Splunk Search

How to edit my search to add a trend line to a Splunk line chart?

steveskinner
New Member

Hi,

I'm trying to add a trend line to my Splunk line chart, but no trend line is appearing.

Original search string:

(host="pvawbdqt01.xxx.co.uk") index="bluedoor_query_tool_perfmon" source="Perfmon:Processor" counter="% Processor Time" | 
replace "pvawbdqt01.xxx.co.uk" with "pvawbdqt01" in host | 
timechart max(Value) by host

New updated string that's not producing a trend line:

(host="pvawbdqt01.xxx.co.uk") index="bluedoor_query_tool_perfmon" source="Perfmon:Processor" counter="% Processor Time" | 
replace "pvawbdqt01.xxx.co.uk" with "pvawbdqt01" in host | 
timechart max(Value) as max_value by host | trendline sma5(max_value) as trend

Can someone please explain how I get the trend line to work please?


somesoni2
SplunkTrust

The trendline command applies to a field existing in the result set. In your search, after the timechart command, the available fields are _time and fields with the same name as the host, so the max_value field doesn't exist and the trendline doesn't work.

Assuming that you're running this search for just one host ("pvawbdqt01.xxx.co.uk" per your search in the question), try something like this:

(host="pvawbdqt01.xxx.co.uk") index="bluedoor_query_tool_perfmon" source="Perfmon:Processor" counter="% Processor Time" | 
 replace "pvawbdqt01.xxx.co.uk" with "pvawbdqt01" in host | 
 timechart max(Value) as max_value by host | trendline sma5(pvawbdqt01) as trend
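
The field naming described in this answer can be reproduced without the original index using the search below, which is an added example and not part of the original thread. It goes beyond the single-host case: the values are constructed with makeresults, pvawbdqt02 is a made-up second host, and trendline is given one sma5 per host-named column with trend_01 and trend_02 as arbitrary output names.

```spl
| makeresults count=20
| streamstats count as n
| eval _time = now() - (20 - n) * 60
| eval host = split("pvawbdqt01,pvawbdqt02", ",")
| mvexpand host
| eval Value = 40 + (n % 7) * 5 + if(host == "pvawbdqt02", 10, 0)
| timechart span=1m max(Value) as max_value by host
| trendline sma5(pvawbdqt01) as trend_01 sma5(pvawbdqt02) as trend_02
```

The first four rows of each trend column are empty because sma5 needs five points. If the by clause is dropped, timechart max(Value) as max_value keeps the max_value field, and trendline sma5(max_value) then works as written in the question.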


steveskinner
New Member

That has done the trick - many thanks for your help on this :O)
